MZWriteScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 16, 2017.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,525
    Location:
    U.S.A. (South)
    Shut that thing off next time :isay:
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That "thing" is solid protection as proven, but yes for testing has to be shut off.
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    I tested it with all protections enabled, including AppGuard.
    It might be a "specific issue" in your case.
    But i don't want to speculate, after the response from the developer we'll know more.
    Keep us informed ;)
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mood

    He responded and couldn't duplicate it either. I may ask if you can take a look with me later.

    Thanks,

    Pete
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,525
    Location:
    U.S.A. (South)
Curious, but are you peeps who run it and see positive results for yourselves comfortable enough with the TRAY ICON color change feature for ALERTING?

I've been testing and am totally sold on its protection AND, at least on Windows 8.1, complete compatibility along with working well with a series of other security apps in place.

    I don't want to beat a dead horse here but like I said curious. But would anyone else like to see a toast/pop up feature to accent it visually or at the very least some added Audio Feature (similar to ERP) where on a CONFIRMED and LOGGED BLOCK MZWriteScanner might also issue a sound alert?

    Just wondering if that would be a bit much to expect.

    Yes I know, AS-IS the driver does the duty as expected with triggering the Tray Icon color, but Adding an active screen element might be too much to expect?

    Or is it unreasonable?
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    Perhaps something like a balloon message?
    In addition the path of the blocked file can be displayed in it...

    Tray.exe is based on AutoIt, so it shouldn't be hard for them to implement it
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Not a bad idea. Sometimes it's a while before I notice the color change. Good thing is whatever alerted can't execute. The downside is you'd get a few more alerts and it could be annoying.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,525
    Location:
    U.S.A. (South)
    Pete.

    I honestly took that little issue to mind before posting the opinion/suggestion.

    True the block n logging wasn't stopped from the intended purpose due to that but because it happened at all, that gives some cause for interest (at least on this end) to just what might be a useful addition to strengthen the program's limited but potentially more useful aesthetics.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I agree it's a more obvious alert. But I have a hunch it could prove too annoying. I'd want to turn off everything but the way it is.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
I think that it would be great as well to have an option to show operating system Toast/balloon popups, and it should be very easy for the developer to add this if someone suggests it to him. The Tray.exe binaries from all of his Excubits drivers likely follow the same codebase as his BouncerTray.exe tool from Bouncer. Bouncer has Toasts by default and therefore they should easily be ported over to the other drivers' tray tools. There may even be a command line switch to enable it, but I am not aware of all of the switches available. For Bouncer, personally, I disable the Toasts with "BouncerTray.exe nopopups" because I prefer to keep it as simple as possible. But I think that it would be good to have a choice so that users can enable those toast notifications if they would like them.

    If someone has time to email Florian to suggest these OS toast notifications, maybe also ask if there is already a built in command line switch as well. :)
     
  11. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    175
    Location:
    Europe
I think there will be such functions very soon.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,525
    Location:
    U.S.A. (South)
    Fingers crossed LoL
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Hi Easter. I don't think this is what you are hoping for. It's only about alerts, etc., that you get from the tray applications. You still need to install the drivers manually (not hard), and still need to do the ini files manually, paying attention to the rules involved. Things that are critical are no spaces, unicode format, and a line space at the end of the file. None of it is difficult once you get used to it.

Is it worth it? Yep, I don't know of anything that really replaces MZWriteScanner's functionality save one or two of Excubits' other drivers.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    A question: Does MZWriteScanner do anything that NVT Process Logger Service doesn't do? @mood ?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
What MZWriteScanner does is 2 things. One, you get a visible alert by the icon turning red. The 2nd thing is until you clear the log file, execution is blocked. That's the key.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    Thanks for explaining. Sounds like I should give it a spin.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Note it detects exe, dll, sys, tmp and bat files. Basically all executable types. Also it doesn't matter where they are dropped on your system. Since I have 3 internal drives, it detects drops on any of the drives.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    Clearly I am doing something wrong. It is not installing properly?

    I right-click installed the .inf file but if I try and start MZWriteScanner I get: 'System Error 2 has occurred. The system cannot find the file specified.'

    Seems like some sort of access denied issue? I have AG and VS set to allow install.

    The tray icon is grey, and it cannot find the config.ini file.

    However if I sc delete MZWriteScanner, I get DeleteService SUCCESS.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Did you put the .ini file in c:\windows? I think you will get that error if it isn't there. You have to manually copy it in.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    Ha! That did it, thanks Pete :thumb:. Must have missed that in the readme. RTFM :isay:.

    I remember doing that for FIDES, but did not click to do it now.

    Edit: Will run it in (non-lethal) LOGGING mode and see what it does.
     
    Last edited: Jun 2, 2017
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Go thru a couple of reboot cycles. Also be aware, the format is slightly different. If you'd like I can PM you my ini file. Basically you will get like a parent followed by the caret, then will come the blocked program followed by another caret which is followed by the sha256 stuff. You want what is between the carets.

Also the log file will have the info, but it puts spaces in there. You have to take out the spaces.
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    I will do a couple of reboots tomorrow.
    If you could PM me your ini file, that will surely help.
    My system is not static; I do a lot of installs / updates so it may not be practical for me, but willing to give it a go.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

Your system can't change any more than mine. What I do is turn off MZ, install new software, then turn it back on and watch what the log files show.

    Oh, and you must turn it off to do an uninstall or it will block it. Pain, but excellent protection.
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    :cautious:
    I wouldn't compare both applications, they are doing different things.
MZWriteScanner is monitoring all dropped files which have a PE header (.exe, .dll, .sys, ...) and if one file has been dropped to a "non-whitelisted location" (by default all locations which are not mentioned in the whitelist are automatically blacklisted), MZWriteScanner "remembers" the hash of the dropped file, and even if malware is able to copy it from the blacklisted location to Program Files or to a whitelisted location, the file is still blocked.
    = Once detected, it has no chance to be executed.

    But beware, after a restart of the service or after a reboot, the previously dropped file will be able to be executed!

    Process Logger Service is only logging all Process Executions, it is not blocking anything.
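The behaviour mood describes above (detect a freshly written file by its PE "MZ" header, remember its hash when it lands outside the whitelist, refuse execution by hash even after the file is copied to a whitelisted folder, and lose that memory on a service restart or reboot) is modelled below in plain Python as an added illustration. This is not Excubits' driver code and not its real ini or log syntax; the whitelist directories, the sample PE bytes and the log line format are constructed for the example.

```python
import hashlib
import ntpath
from typing import List, Set

# Constructed whitelist of locations (assumption: illustrative paths only,
# not the syntax of MZWriteScanner's own config.ini).
WHITELISTED_DIRS = [r"C:\Program Files", r"C:\Windows"]

# Constructed "dropped executable": a DOS stub signature followed by filler.
# Only the leading "MZ" bytes matter for the header check modelled here.
SAMPLE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60


def has_mz_header(data: bytes) -> bool:
    """A PE image starts with the DOS stub signature 'MZ' (0x4D 0x5A)."""
    return data[:2] == b"MZ"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MzWriteScannerModel:
    """Toy model of the write-scanner logic described in the thread."""

    def __init__(self, whitelist: List[str]) -> None:
        # Normalise case and separators so "c:/program files" matches too.
        self.whitelist = [ntpath.normcase(d.rstrip("\\")) for d in whitelist]
        # Hashes of executables dropped into non-whitelisted locations.
        # Kept in memory only, which is exactly the reboot caveat from the post.
        self.blocked_hashes: Set[str] = set()
        self.log: List[str] = []

    def _whitelisted(self, path: str) -> bool:
        p = ntpath.normcase(path)
        return any(p.startswith(d + "\\") for d in self.whitelist)

    def on_file_written(self, path: str, data: bytes) -> bool:
        """Called for every completed write. Returns True if the drop was flagged."""
        if not has_mz_header(data):
            return False            # not an executable image, ignore
        if self._whitelisted(path):
            return False            # writes into whitelisted locations are trusted
        digest = sha256_hex(data)
        self.blocked_hashes.add(digest)
        # Constructed log line format (assumption), vaguely "path ^ hash".
        self.log.append(f"{path} ^ {digest}")
        return True

    def may_execute(self, path: str, data: bytes) -> bool:
        """Execution decision keyed on content hash, not on the current path."""
        return sha256_hex(data) not in self.blocked_hashes

    def restart(self) -> None:
        """Service restart / reboot: the remembered hashes are gone."""
        self.blocked_hashes.clear()


def demo() -> dict:
    """Walk through the scenario from the post and return each decision."""
    scanner = MzWriteScannerModel(WHITELISTED_DIRS)
    temp_drop = r"C:\Users\user\AppData\Local\Temp\drop.exe"
    moved_copy = r"C:\Program Files\Vendor\drop.exe"

    result = {
        "flagged_on_drop": scanner.on_file_written(temp_drop, SAMPLE_PE),
        "text_file_ignored": scanner.on_file_written(r"C:\Users\user\notes.txt", b"hi"),
        # Copying the same bytes into a whitelisted folder does not re-flag...
        "whitelisted_copy_flagged": scanner.on_file_written(moved_copy, SAMPLE_PE),
        # ...but execution is still refused because the hash is remembered.
        "runs_after_copy": scanner.may_execute(moved_copy, SAMPLE_PE),
    }
    scanner.restart()
    result["runs_after_restart"] = scanner.may_execute(moved_copy, SAMPLE_PE)
    result["log_entries"] = len(scanner.log)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point worth taking from the model is the last two results: blocking by hash is what makes the "copy it somewhere trusted" trick fail, and clearing the in-memory set on restart is why mood warns that a previously dropped file becomes runnable again after a reboot unless the log is dealt with first.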
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    Thanks @mood and @Peter2150 for the ini also. Will start playing with this.

    Will post here if I have questions :)
     